New NIST cybersecurity standards could pose liability risks

Critical infrastructure companies could face new liability risks if they fail to meet voluntary cybersecurity standards being developed by the National Institute of Standards and Technology.

The slated release of a draft of the standard on Thursday was delayed, apparently due to the federal government shutdown. NIST's main website was shuttered on Thursday.

The standards effort was launched after an Executive Order by President Barack Obama earlier this year.

A preliminary version of the draft standard has been floating around for several weeks, however.

The formal draft version, when released, will be available for public review until February 2014, according to the original schedule. Once the review is complete, will release a final version of the standards that incorporates changes recommended by stakeholders.

The NIST cybersecurity framework is designed to serve as a security best practices guide for organizations in critical infrastructure sectors, like power, telecommunications, financial services and energy.

The framework was developed with input from industry stakeholders.

It is not designed to mandate specific security controls. Rather, it offers broad standards for identifying and protecting critical data, services and assets against cyber threats. It offers a set of best practices for detecting and responding to an attack, mitigating the fallout from cyber incidents and for managing risks overall.

Obama issued the Executive Order in February to address, what he said was an immediate need to protect critical infrastructure targets against cyberattacks. Administration officials said the order came only after repeated failures by Congress to pass meaningful cybersecurity legislation.

Participation in the standards program is voluntary. The Executive Order leaves it up to the federal agencies in charge of each critical sector to push adoption of the standards through a combination of incentives and other market driven means.

In practice though, critical infrastructure owners and operators will likely be left with little choice but to follow the standards, or at least show they have comparable security measures in place, said Jason Wool, an attorney with Venable LLP, a Washington D.C-based law firm.

Companies that ignore the standards and are breached will open themselves up to negligence, shareholder and breach of contract lawsuits along with other liability claims. The standards will likely be viewed as the minimum level of care and integrity within critical infrastructure sectors, Wool noted.

"You don't have to adopt these standards. But the fact that this framework [spells out] activities that are recommended for cybersecurity, establishes a bar that companies need to meet," Wool said. "The framework requires, at minimum, that owners and operators of critical infrastructure look at themselves and do a gap analysis."

Even companies that don't adopt the standards need to show what they are doing is as effective.

"If a company gets sued, it should be able to provide some evidence that they took a look at the standards, performed a risk assessment and were managing their risk in a reasonable manner, Wool said.

Scott Vernick, an attorney at Fox Rothschild in Philadelphia said that there is a good chance that the NIST standards will eventually become sector-specific regulations overseen by the federal agencies in charge of various critical infrastructure areas. At that point, covered entities will have no choice but to adopt the standards, he suggested.

Even if that's wrong, "once NIST finishes its work, the Plaintiffs Bar will point to it as the standard," Vernick said. Critical infrastructure owners and operators should, at a minimum, determine how their security measures stack up against the standard, he said.

Companies should also consider joining information sharing initiatives and other cybersecurity forums to show they are making an effort to understand new threats, he said. "This really is an area where an ounce of prevention is worth a pound of cure."

Ironically, even companies that do adopt the framework may not be free from liability risks, experts say.

For instance, some of the provisions for protecting personally identifiable information (PII), could be pose problems for critical infrastructure companies, said Stewart Baker, former assistant secretary for policy under the George W. Bush administration, in a blog post.

The privacy appendix would require that companies take extensive measures to protect PII while carrying out cybersecurity functions, said Baker now an attorney in the Washington office of the Steptoe & Johnson LLP law firm.

For example, companies that want to share threat-information with other firms will have to first scrub the data so it's clean of personally identifiable information.

Baker said the requirements in the draft document are ambiguous and open to interpretation.

Companies that share threat information containing personal data, like IP addresses and email addresses, face few legal consequences as long as the government is kept out of the picture.

"Once the NIST privacy appendix takes effect, though, private cybersecurity sharing will slow to a crawl as lawyers try to anticipate whether every piece of data has been screened for PII and for relevance," Baker noted. "In short, under the NIST framework, pretty much every serious cybersecurity measure in use today will come with new limits and possibly new liability," he said.

Cyber resilience will be particularly important as Australian organisations face increased pressure to quickly detect, respond to, and manage the repercussions of breaches in the wake of 2018’s Notifiable Data Breaches (NDB) scheme.

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.